@Faizi for an IPSec VPN you'd need to block ESP, UDP/500 and UDP/4500 - the best place for this would probably on your router.
ip access-list extended BLOCK-VPN
deny esp any any
deny udp any any eq 500
deny udp any any eq 4500
permit ip any any
interface gigabitethernet 0/2
description INSIDE Interface
ip access-group BLOCK-VPN in
If you are referring to an SSL/TLS-VPN that's slightly hard as that using TCP/443 and UDP/443, which would block access to most websites that use TLS.
a firewall and umbrella have some similarities but they have different purposes. a firewall is meant to monitor and block traffic into and out of your network in simple terms. umbrella is how you filter what websites your users visit via DNS/web as @Rob Ingram said. One is not better than the other in fact depending on your network it would most likely be recommended to use both or devices similar to both. If i am not mistaken a NGFW could also act as a DNS/web filter but it would not hurt to also use Umbrella but there is still some issues with sites that use SSL like various 18+ websites which become slightly harder to block.